The software industry has made wide use of access rights in many different kinds of applications, most notably operating systems and databases. Access rights are usually stored in static structures called access control lists (ACLs). Setting up, maintaining, and modifying ACLs is not a straightforward task. ACLs have limited scope and only regulate the relationship between data and immediate users of that data. There is presently no way to transmit access rights from a granting authority to a grantee and force the access rights to change upon receipt by the grantee. For example, if a user A is given access to a file X in a folder F located on a shared volume V, user A cannot be prevented from transmitting file X to any other individual or from transmitting any other file in the folder F as well.
Database systems also maintain protection schemes. Again, if a user B has access to a record R in a table T in a database D, as a rule, user B cannot be prevented from forwarding this information to third parties.
There are several current and emerging devices, systems, and policies for which privacy and security issues have become more acute. Computers, for example, are routinely under attack by viruses, worms and other malicious software. Computer users have been greatly inconvenienced by such software, suffering slowdowns, corrupted data and, at the extreme, lost or stolen data. Financial systems have also had their share of problems, ranging from lost to stolen information. Moreover, as an example of a national policy, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), mandates strict confidentiality rules for the handling of medical information.
The confidentiality and integrity of medical information, in particular, is of growing concern because the medical community has not seen sufficient urgency or need to modernize medical information systems. Presently, these systems are fragmented, archaic, unsecured, and incompatible with each other. Individuals increasingly express concerns about the privacy and security of their own personal medical information.
Today, databases containing information about hundreds, thousands, or even millions of individuals are treated as commodities to be bought, sold and exchanged by companies and individuals. Individuals referenced in these databases almost never know that their personal information has been sold or transmitted. Most of the time such exchanges and use of personal information are benign, but many recent cases of malicious use or pirated data cause great concern among government, industry and privacy groups. There is thus a need for tools that increase the security and privacy of information readily address issues raised by HIPAA and consumer concerns about personal data.